Thursday, October 3, 2024

Beta update: Data Loss Prevention enforcement in Gmail is now instantaneous

[Update - October 9, 2024]: There has been a slight change to the rollout of this feature. To help ensure optimized performance, this will now be an extended rollout (potentially longer than 15 days for feature visibility). We anticipate that rollout will be complete by early December and will provide another update confirming rollout is complete.


What’s changing 

Today, we are announcing enhancements for the Data Loss Prevention for Gmail open beta, which are designed to improve usability without compromising sensitive data protections for Gmail. Once deployed, users will be notified instantly when a message violates an applicable DLP policy, before the message leaves their inbox, instead of having DLP rules evaluated only after the message has already left the inbox. In addition to more timely user feedback, this capability, called synchronous DLP, helps educate users about the potential risk of leaking sensitive information.


We’re also introducing a new action for DLP rules, “Warn”, which will notify users about potentially sensitive data while providing the option to send the message based on a user’s assessment of a risk. For added safety, the DLP service will scan messages one additional time after they leave the sender's mailbox.


Who’s impacted

Admins and end users


Why it matters 

Data breaches are one of the most common and costly security issues facing organizations. Often these breaches originate from within an organization, through unintentional or intentional actions by its users. Data loss prevention capabilities help prevent this exfiltration of data and help guide users about what information to share. To help safeguard sensitive information, organizations can create and enforce policies that not only detect and block sensitive information from being shared, but also educate users on what information sharing is or is not appropriate and how to comply with those guidelines. Specifically, data loss prevention rules can look for sensitive text strings, custom detectors, or predefined detectors in outgoing messages sent internally or externally.


The latest update for data loss prevention rules in Gmail brings the experience in line with Google Drive and Google Chat, which are already adopted broadly by Google Workspace customers. You can refer to our Help Center for more information about data loss prevention in Gmail.


Additional details

Customizable warning messages
DLP rules can be configured to block the message, warn users about sensitive information, or quarantine the message. When sensitive information is detected, users will be shown a dialog box notifying them of the risk. Admins can now choose to customize the information shown to end users in these dialog boxes, including why their message was flagged, what they can do to unblock themselves, and links to additional resources to educate them further.

Example of a custom warning message




Continued asynchronous scanning of messages
While messages will now be scanned synchronously, messages will go through additional scanning asynchronously (after the message leaves the inbox) for an additional layer of protection. This includes messages that are sent automatically, such as auto-forward or scheduled send, and messages sent from non-Gmail clients.


Getting started

  • Admins:
    • Data loss prevention in Gmail is available in open beta for select Google Workspace customers. These rules can be configured at the domain, OU, or group level. DLP rules can be enabled in Gmail in the Admin console under Security > Access and data control > Data protection. Note that with the new synchronous scanning, your end users will begin seeing dialog boxes related to these rules before messages leave the inbox. These will be displayed when using Gmail on the web and mobile.

    • Visit the Help Center to learn more about controlling sensitive data shared in Gmail. Note that you can modify existing DLP rules for Drive and Chat to also apply to Gmail. 

    • DLP events can be reviewed in the Security Investigation Tool or Security > Alert Center, if alerts are configured in rules.

    • We recommend selecting “Audit only” when you’re setting up a new rule in order to test and monitor its performance, or to passively monitor the environment without interrupting email flow for your users. There are no changes to the “Audit only” action with this update; such rules will continue to operate as usual.

  • End users: Depending on the data loss prevention rules configured by your admin, you may see a dialog letting you know that:

    • Your message is blocked: Your message contains information that cannot be shared — you’ll need to remove it in order to send your message.
      Dialog in case of a blocked message
    • Your message contains sensitive information: Your message contains information that is sensitive, but can be shared — you can decide whether to send it or edit the message to exclude this information. Note that your admin will be notified about this activity.


      Dialog in case of a warning

    • Your message contains sensitive information that requires review: Your message contains information that will need to be reviewed by an admin. You’ll have the option to submit it for review, and upon review it will be released for delivery or declined. You may receive a notification about the message being declined from delivery.


      Example of a quarantine message
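The following is an added illustration, not Google's code and not the Gmail DLP service's actual implementation, of how the rule actions described on this page (Audit only, Warn, Quarantine, Block) combine with detectors in a synchronous pre-send check, and why the same evaluation is run a second time asynchronously for messages that never pass through the dialog (auto-forward, scheduled send, non-Gmail clients). The detector patterns, rule names, dialog text and sample messages are all constructed for the example; the card-number detector adds a Luhn checksum so a random 16-digit string does not trigger a block.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

class Action(Enum):
    AUDIT_ONLY = "audit_only"   # log the event only; never interrupts mail flow
    WARN = "warn"               # show a dialog, let the sender decide
    QUARANTINE = "quarantine"   # hold the message for admin review
    BLOCK = "block"             # refuse to send until the content is removed

# When several rules match one message, the most restrictive action wins.
SEVERITY = {Action.AUDIT_ONLY: 0, Action.WARN: 1, Action.QUARANTINE: 2, Action.BLOCK: 3}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on 16-digit number matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Detector:
    name: str
    pattern: re.Pattern
    validate: Optional[Callable[[str], bool]] = None  # extra check on the digits of a match

    def find(self, text: str) -> list[str]:
        hits = []
        for m in self.pattern.finditer(text):
            value = m.group(0)
            if self.validate is None or self.validate(re.sub(r"\D", "", value)):
                hits.append(value)
        return hits

@dataclass
class Rule:
    name: str
    detector: Detector
    action: Action
    user_message: str   # the admin-customizable text shown in the sender's dialog

@dataclass
class Verdict:
    action: Action
    findings: list[tuple[str, str]]   # (rule name, matched value), for the audit log
    dialog_text: list[str]            # only rules that interrupt the sender add text

def evaluate(body: str, rules: list[Rule]) -> Verdict:
    """Run every rule over the body; return the most restrictive action."""
    action, findings, dialog = Action.AUDIT_ONLY, [], []
    for rule in rules:
        hits = rule.detector.find(body)
        if not hits:
            continue
        findings.extend((rule.name, h) for h in hits)
        if rule.action != Action.AUDIT_ONLY:
            dialog.append(rule.user_message)
        if SEVERITY[rule.action] > SEVERITY[action]:
            action = rule.action
    return Verdict(action, findings, dialog)

def presend_check(body: str, rules: list[Rule], user_accepts_warning: bool = False) -> tuple[str, Verdict]:
    """Synchronous path: decided before the message leaves the inbox.
    Returns one of "send", "edit" (warning shown, sender declined), "held", "blocked"."""
    v = evaluate(body, rules)
    if v.action == Action.BLOCK:
        return "blocked", v
    if v.action == Action.QUARANTINE:
        return "held", v
    if v.action == Action.WARN and not user_accepts_warning:
        return "edit", v
    return "send", v   # clean, audit-only, or warning accepted by the sender

def async_scan(body: str, rules: list[Rule]) -> Verdict:
    """Asynchronous path: the same evaluation, run again after sending so that
    auto-forwarded, scheduled and non-Gmail-client messages are still covered."""
    return evaluate(body, rules)

# Constructed rule set (hypothetical detectors and dialog text).
RULES = [
    Rule("pan-block", Detector("card-number", re.compile(r"\b(?:\d[ -]?){15}\d\b"), luhn_ok),
         Action.BLOCK, "Payment card numbers cannot be sent by email. Remove the number to send."),
    Rule("ssn-warn", Detector("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
         Action.WARN, "This looks like a Social Security number. Send only if the recipient needs it."),
    Rule("label-review", Detector("confidential-label", re.compile(r"\bCONFIDENTIAL\b")),
         Action.QUARANTINE, "Messages marked CONFIDENTIAL are reviewed by an admin before delivery."),
    Rule("keyword-audit", Detector("custom-keyword", re.compile(r"\bProject Falcon\b")),
         Action.AUDIT_ONLY, ""),   # new rule, monitored passively as the page recommends
]

# Constructed sample messages.
MSG_CARD = "Hi, my card is 4111 1111 1111 1111, exp 12/26."     # Luhn-valid test number
MSG_NOT_CARD = "Order ref 4111 1111 1111 1112, please confirm."  # fails Luhn, no block
MSG_SSN = "Applicant SSN 123-45-6789 attached for onboarding."
MSG_KEYWORD = "Project Falcon kickoff is on Monday."
MSG_MIXED = "CONFIDENTIAL: card 4111 1111 1111 1111 for applicant 123-45-6789"

if __name__ == "__main__":
    for msg in (MSG_CARD, MSG_NOT_CARD, MSG_SSN, MSG_KEYWORD, MSG_MIXED):
        outcome, verdict = presend_check(msg, RULES)
        print(f"{outcome:8} {verdict.findings}")
```

The one design point worth noting is that `async_scan` is deliberately the same evaluation as the pre-send path: the second pass exists to cover sends that bypass the dialog, not to apply different rules, so the two must never drift apart.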

Rollout pace

Availability

Available for Google Workspace:
  • Enterprise Standard, Enterprise Plus
  • Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
  • Frontline Standard
  • Cloud Identity Premium customers

Resources